From the “WebKit Flaws” files:
Apple is updating its Safari Web browser to version 4.0.4 to fix 7 identified CVE’s (Common Vulnerabilities and Exposures) spread across both Mac and Windows versions of the software.
Three of the fixes are for Safari’s core WebKit rendering engine and in my opinion they’re critical issues. What’s particularly interesting is how the issues were identified in one case by Google and in the other by Apple. Both Google and Apple rely on WebKit as the key rendering infrastructure for their respective browsers.
One of the issues is a Cross Site Request Forgery (CSRF) flaw in how WebKit enables a page from one location to access a resource in another place.
“WebKit sends a preflight request to the latter server for access to the resource,” Apple’s advisory states. “WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery.”
That’s pretty serious and in my opinion, not terribly difficult to execute either. What makes this vulnerability even more ominous is the fact that it’s in WebKit — it could potentially have found its way into the iPhone or Google’s Chrome too. This particular vulnerability was discovered by Apple’s own security researchers.